Samsung Pay: Tokenized Numbers, Flaws and Issues

March 22, 2017 (at 4 p.m.) in Defense and Management

Samsung has announced many layers of security for its Pay app. Stating that its new payment method will not store or share any of the user's credit card information, thereby protecting its customers, Samsung Pay is trying to become one of the most secure approaches while offering functionality and simplicity to its customers.

This app is a complex mechanism that has some security limitations. Using tokenized numbers and implementing the new Magnetic Secure Transmission (MST) technology and the Near Field Communication (NFC) protocol does not guarantee that every token generated by Samsung Pay will be used to make a purchase from the same Samsung device. That means an attacker could steal tokens from Samsung Pay and use them without restriction through other methods or hardware.

Inconvenient but practical, Samsung's customers can use the app in airplane mode. However, this makes it impossible for Samsung Pay to retain full control over the pool of tokens. Even though the tokens carry their own restrictions, the tokenization process gets weaker after the app generates the first token for a specific card.

How random is a Samsung Pay tokenized number? It is really necessary to understand how the tokens inherently share similarities arising from the generation process, and how this affects end users' security.

Salvador Mendoza

Salvador Mendoza is a security researcher who has had the opportunity to participate in conferences such as Black Hat USA, DEFCON, Ekoparty, BugCON and DerbyCon.